DShield Honeypot

The DShield Honeypot is a low-interaction honeypot that allows us to collect data for research purposes. By default, the honeypot runs the following clients:

Collecting SSH and Telnet usernames and passwords via Cowrie

An HTTP honeypot collecting full HTTP requests (we are currently working on our own; for now, Apache is used)

We also collect firewall logs from the honeypot

The honeypot can be installed on a Raspberry Pi or on most Linux systems running a Debian- or Red Hat-based distribution, but most testing has been done with a Raspberry Pi and Ubuntu. For more details about the software and how to install it, see our GitHub repository.

Honeypot FAQs

Will running a honeypot increase my risk of an attack?
It should not. This is not an actual vulnerable system. Instead, we use scripts like Cowrie to simulate a vulnerable system.

Is it useful to DShield to have a honeypot on a residential DSL/Cable connection or do you need data from large networks?
Absolutely. We need a large number of diverse participants to make this project useful. Even a normal home connection will likely see several attacks a day.

Can I run the honeypot on a free AWS instance (or other cloud service)?
Yes. The honeypot uses few resources. It should work well on a minimum cloud instance. It needs only a little disk storage, as logs are sent to DShield.

Can the honeypot be hacked? Can it be used to attack others?
We hope not. The honeypot uses scripts to simulate vulnerable services. This is not a vulnerable machine or "full interaction" honeypot.

How do I report a problem or ask for help?
Report any problems as an "issue" via GitHub. This is the best way for us to track any problems.